What is the best way to protect your network? ;)

RichardJansma

I believe there are many people here that protects internet networks and using various products...

my Home network is setup by

1. ISP DSL (From so home Cable) ISP Modem
2. Syfer
3. Ubiquiti UniFi Security Gateway USG Pro
4. Ubiquitin UniFi Switch (48 Port 500w Poe+)
5. Ubiquiti Unifi AP Pro

and then all onther devices. Including Synology nas and more.

also to connect we use MAC adresses

is this good and maybe any tips and tricks ;)

And what do you guys have?

Yours Sincerely,

Richard Jansma

Hypnotist, Master Magnetist, Dataist & Believer of future technology!

VioletChepil

@Joe @KayJay @John @TheCustomCave - anything to add on protecting your network! 

KayJay

Wow!  To me, it seems like you are pretty much covered...way more than what I have in my network.  Currently, I only have the following:

• ISP-provided modem/router
• Fingbox
• All other devices
  

You've got me looking into that Syfer product now

kltaylor

For the devices themselves, you have a great setup.  Using Sypher and not solely relying on the capabilities of a DSL modem is very smart.

The only suggestion that I can provide is to disable UPnP in Sypher, and be careful of how many open ports you configure for data traffic.  MAC addresses can be spoofed, so be wary of relying a lot on that.  Cycle through passwords on a rotation, change it every x weeks or months.  Use a password generated password to ensure a secure environment.  Never use human-readable words for your passwords, using a password generator and distributing that selectively is a great way to manage it.

Lee_Bo

Cable modem from ISP, Ubiquity hardware, Fingbox.  Fingbox set up to automatically block new devices.  My setup is probably overkill for a home network but I'd rather spend a few extra dollars and be safe.

Joe

If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.

Pooh

I'm seriously thinking of segmenting my Roku's, Receivers, BluRay player & Wii into the guest SSID just so they don't get to see the main network.

kltaylor

Joe said:

If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.

First of all ... you said 'git'   I haven't heard that in, ahem ... decades.

That's good advice to lock down the SIP port to only receive from a specific IP.  Should be able to obtain that information from the provider easily enough.

kltaylor

Pooh said:

I'm seriously thinking of segmenting my Roku's, Receivers, BluRay player & Wii into the guest SSID just so they don't get to see the main network.

Unless there is a reason for an IoT device to access the LAN, more specifically for access to shared storage, I would absolutely do that.  If your router allows you to add more than one SSID, create one that only has access to the inter-webs, but still needs a strong password to join.

Pooh

kltaylor said:
First of all ... you said 'git'   I haven't heard that in, ahem ... decades.

I've been training the folks here in Cincinnati, Ohio to speak 'proper' English. So much easier now I can say 'owt', 'nowt', 'butchers', 'dog n bone', 'muppet', 'knackered' and some of the more colourful English colloquialisms in regular conversations.

git however is in regular parlance after Linux Torvalds named his source code control system 'git'. Telling folk the reason behind the name is still fun, though

kltaylor

Pooh said:

kltaylor said:
First of all ... you said 'git'   I haven't heard that in, ahem ... decades.

I've been training the folks here in Cincinnati, Ohio to speak 'proper' English. So much easier now I can say 'owt', 'nowt', 'butchers', 'dog n bone', 'muppet', 'knackered' and some of the more colourful English colloquialisms in regular conversations.

git however is in regular parlance after Linux Torvalds named his source code control system 'git'. Telling folk the reason behind the name is still fun, though

Heh... Muppet.

Git was a term that was used back when I was growing up, could easily start fights over being called it, too. 

Ahhh ... memories.

TheCustomCave

It's a bit of a complex topic really as you've got to account for myriad vectors for attack, or intrusion, or phishing, or simply accidentally bringing some malware into the network.

I am fortunate enough to run on enterprise grade hardware, using Meraki devices for my security appliance and then a combination of Ruckus and Meraki for my WiFi access points too.

Passwords are an interesting one. Ideally points of entropy are the first port of call - a longer password with more characters is more secure than a short one with mixed letters, numbers, symbols etc.
Ideally using the browsers's secure password generator (if available), or another password manager to generate and store secure passwords which are unique to each website/service you use.

Locking down anything you can within your router's configuration, close ports you don't need to have open, geoblocking IP address ranges outside of any you don't personally deal with. Those will get you a nice start.

Have decent antivirus installed (not Norton/Symantec), make sure it's running real time protection, make sure it's updated at least every day.
If you can, lock down your user account so you don't have Admin access by default. Enable UAC, set it at the highest level you can be bothered with.

Always have at least 3 copies of all important data, in at least 2 physical locations.

Ad-blocking is another one which is useful, it reduces the chances of pulling malware onto your machine. I use Pi-hole on my network, but there's also Ghostery and uBlock Origin for most browsers on Windows.

I realise this is getting more into general safety here, but it all goes to help keep your network safe.
There's plenty of other information to add but I'll give you all a rest for now.

kltaylor

In regards to protecting your network, or in this case on the client level, I just came across this little tidbit:

https://simplednscrypt.org/

While I mainly use Firefox as my default browser, and DNS over HTTPS is a toggle in the Options -> Network Settings portion, I've also installed this on my work machine and laptop so far.

Curious to hear some input on it, so far it's working as intended.

Lee_Bo

kltaylor said:

Joe said:

If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.

First of all ... you said 'git'   I haven't heard that in, ahem ... decades.

That's good advice to lock down the SIP port to only receive from a specific IP.  Should be able to obtain that information from the provider easily enough.

kltaylor said:

First of all ... you said 'git'   I haven't heard that in, ahem ... decades.

That's good advice to lock down the SIP port to only receive from a specific IP.  Should be able to obtain that information from the provider easily enough.

atomicboy

I run a Firewall appliance using Untangle in bridge mode behind my router on the Lan side. Typically a Firewall appliance is installed at the “edge” of a network however I run a set of VPN tunnels from my multi WAN router to an AWS EC2 instance that for simplicity, I do not want to screw around with. I did try running PF Sense. After spending much time and effort, I could not get it to run in bridge mode where as Untangle facilitates this as part of the initial install. The default Untangle settings are very good out of the box. My appliance is a “cheap” fan-less Qotom with an I5 processor which I upgraded the SSD on. The Untangle forum is very user friendly for those less knowledgeable.
The Fixed Wireless Router/Modems that my ISP provides do not expose the firewall so I have no idea how good they are and lots get them and are caught by my Untangle Firewall which uses a dynamic list from a threat service. I do not use my main commercial router’s firewall as I am not proficient enough to build the rule set required.
I also use scanning programs and VPN programs. 
So my biggest threat is in my actions in how I use the internet.